author | Damien Miller <djm@mindrot.org> | 2006-08-19 00:23:15 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-08-19 00:23:15 +1000 |
commit | 565ca3f60058f22d083572930833aaff2292ac20 (patch) | |
tree | b3e6cb3be750d8492e987a26bba0a01d5df825c7 /servconf.c | |
parent | 1c89ce074920a11ac1eb2093867e50c869d05480 (diff) |
- dtucker@cvs.openbsd.org 2006/08/14 12:40:25
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 56 |
1 files changed, 55 insertions, 1 deletions
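--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -16,6 +16,7 @@
 #include <sys/socket.h>
 
 #include <netdb.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -37,6 +38,7 @@
 #include "mac.h"
 #include "match.h"
 #include "channels.h"
+#include "groupaccess.h"
 
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -497,6 +499,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
 */
 
 static int
+match_cfg_line_group(const char *grps, int line, const char *user)
+{
+int result = 0;
+u_int ngrps = 0;
+char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
+struct passwd *pw;
+
+/*
+* Even if we do not have a user yet, we still need to check for
+* valid syntax.
+*/
+arg = cp = xstrdup(grps);
+while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
+if (ngrps >= MAX_MATCH_GROUPS) {
+error("line %d: too many groups in Match Group", line);
+result = -1;
+goto out;
+}
+grplist[ngrps++] = p;
+}
+
+if (user == NULL)
+goto out;
+
+if ((pw = getpwnam(user)) == NULL) {
+debug("Can't match group at line %d because user %.100s does "
+"not exist", line, user);
+} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+debug("Can't Match group because user %.100s not in any group "
+"at line %d", user, line);
+} else if (ga_match(grplist, ngrps) != 1) {
+debug("user %.100s does not match group %.100s at line %d",
+user, arg, line);
+} else {
+debug("user %.100s matched group %.100s at line %d", user,
+arg, line);
+result = 1;
+}
+out:
+ga_free();
+xfree(arg);
+return result;
+}
+
+static int
 match_cfg_line(char **condition, int line, const char *user, const char *host,
 const char *address)
 {
@@ -527,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
 else
 debug("user %.100s matched 'User %.100s' at "
 "line %d", user, arg, line);
+} else if (strcasecmp(attrib, "group") == 0) {
+switch (match_cfg_line_group(arg, line, user)) {
+case -1:
+return -1;
+case 0:
+result = 0;
+}
 } else if (strcasecmp(attrib, "host") == 0) {
 if (!host) {
 result = 0;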
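Review bot: The parse loop in match_cfg_line_group stops at the first empty element, so `Match Group wheel,,admin` silently keeps only `wheel` and `Match Group ,wheel` matches nothing, even though the comment above the loop says the parse exists to validate syntax. Because a Match block is commonly used to tighten settings for a group, a silently dropped group is one that is no longer subject to the block, which is the wrong direction to fail in. I would make an empty element a configuration error reported through the same error()/result = -1/goto out path the MAX_MATCH_GROUPS check already uses, so it surfaces at configuration-load time (e.g. under `sshd -t`) rather than being discovered at connection time. In the last hunk the switch on the return value has no default and lets `case 0:` run off the end of the switch; a `break;` after `result = 0;` plus an explicit `default:` would make the intended handling of the match (1) case visible.
```c
arg = cp = xstrdup(grps);
while ((p = strsep(&cp, ",")) != NULL) {
	if (*p == '\0') {
		error("line %d: empty group name in Match Group", line);
		result = -1;
		goto out;
	}
	if (ngrps >= MAX_MATCH_GROUPS) {
		error("line %d: too many groups in Match Group", line);
		result = -1;
		goto out;
	}
	grplist[ngrps++] = p;
}
/* … unchanged: getpwnam()/ga_init()/ga_match() evaluation and out: cleanup … */
```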